[Operators] Jabber.sk - stolen ejabberd databases

Friedrich Kron fritz_kron at yahoo.de
Fri Aug 31 14:10:34 UTC 2012


Hello Peter,

Which services are you running on this host? Maybe there are still some artefacts. For compromised servers you can try this one: http://rootkit.nl/projects/rootkit_hunter.html

regards, Frz


On Aug 31, 2012, at 3:59 PM, Peter Viskup <skupko.sk at gmail.com> wrote:

> On 08/31/2012 12:24 PM, Mathias Ertl wrote:
>> Hi Peter,
>> 
>> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>>> let me inform you that all internal ejabberd databases of the server
>>> jabber.sk were stolen. Please inform us in case you are facing
>>> any suspicious activity from jabber.sk accounts. We already
>>> performed an infrastructure inventory and it looks like they were
>>> interested only in the ejabberd databases.
>>> The attacker used IP 188.126.79.56, which is registered in Sweden, and one
>>> local system account was compromised.
>>> We will inform you once we have some other important information for you.
>> Did you find out how the attacker gained access?  Was any Jabber software
>> used to gain access?
>> 
>> greetings, Mati
>> 
> Hi Mathias and all,
> at this time we do not have evidence of any Jabber software being used to gain access. They used a weakness in our hosting infrastructure to access some of our systems. But we do not yet know how they reached the ejabberd databases, and the investigation is still ongoing.
> It looks like they were interested only in the ejabberd databases, as they didn't break any hosting service despite having root access on one of our systems.
> It could be related to the activities of Syrian people using our server in the last months.
> I am going to contact the owner of that IP and ask them for help to get more information about this break-in attempt.
> 
> --
> Peter
